Penetration Testing—Ethical Hacking CIS 4204 Class# 11431 Class Periods: MWF, 3, 9:35-10:25 Location: CSE E231 Academic Term: Fall 2019
Instructor: Joseph N. Wilson [email protected] 352-514-2191 (cell) Office Hours: MF 12:00-13:00, W 15:00-16:00, or by appointment, CSE E472
Teaching Assistant/Peer Mentor/Supervised Teaching Student: Please contact through the Canvas website • TBA
Course Description CIS 4204 Penetration Testing: Ethical Hacking 3 Credits Grading Scheme: Letter Grade Introduces principles and techniques associated with the cybersecurity practice known as penetration testing or ethical hacking. Covers planning, reconnaissance, scanning, exploitation, post-exploitation, and result reporting. Discover how system vulnerabilities can be exploited and learn to avoid such problems.
Course Pre-Requisites / Co-Requisites Prerequisite: COP 3530
Course Objectives This course teaches students the underlying principles and many of the techniques associated with the cybersecurity practice known as penetration testing or ethical hacking. Students will learn about the entire penetration testing process including planning, reconnaissance, scanning, exploitation, post-exploitation, and result reporting. The course will provide the fundamental information associated with each of the methods employed and insecurities identified. In all cases, remedial techniques will be explored. Students will develop an excellent understanding of current cybersecurity issues and ways that user, administrator, and programmer errors can lead to exploitable insecurities. Students will be able to successfully mount attacks against vulnerable services. Students will be able to explain the business risk of such vulnerabilities and identify how they can be avoided.
Materials and Supply Fees $?? Fee associated with use of ESX servers.
Professional Component (ABET): This course addresses engineering topics.
Relation to Program Outcomes (ABET): Outcome Coverage* 1. An ability to apply knowledge of mathematics, science and High engineering. (a)
Penetration Testing—Ethical Hacking, CIS 4204 Page 1 J.N. Wilson Fall 2019
2. An ability to design and conduct experiments, as well as to analyze High and interpret data. (b)
3. An understanding of professional and ethical responsibility. (f) Medium 4. A ability to communicate effectively. (3g2 written) High 5. The broad education necessary to understand the impact of Medium engineering solutions in a global, economic, environmental, and societal context. (h)
6. An ability to use the techniques, skills, and modern engineering High tools necessary for engineering practice.(k)
Required Textbooks and Software No required textbook. Numerous web materials form the required readings.
Recommended Materials • Title: The Hacker Playbook 2 • Author: Peter Kim • Publication date and edition: 2015 • ISBN: 978-1512214567
• Title: Penetration Tester's Open Source Toolkit • Author: Jeremy Faircloth • Publication date and edition: 2016 (4e) • ISBN: 978-0128021491
Course Schedule Week 1: Introduction, Penetration Testing Models, Penetration Testing—What is it Really, Ground Rules for an Engagement, Ethics for Penetration Testers Week 2: US Cybercrime Laws, International Cybercrime Laws, VMs Kali, Linux, etc., Penetration Test Report, Reconnaissance Open Source Intelligence, OS Int Example, Reconnaissance, Whois, DNS, Nslookup, Zone Transfer, Fierce, CeWL Week 3: A Little Networking, TCP In More Detail, UDP, ICMP, Traceroute, Wireshark, Network Discovery Week 4: More Network Discovery, Service Discovery, OpenVAS Vulnerability Scanner, Metasploit Introduction, Using the Meterpreter, Unix/Linux Password Security Week 5: Buffer Overflows, Smashing the Stack for Fun and Profit, Cracking Unix/Linux Passwords, Windows Passwords, More About Password Cracking, Pivoting with Netcat Week 6: Pass the Hash, PSExec, Kerberos Golden and Silver Tickets, Windows Post-exploitation, The Many Modules of Mimikatz, Local vs Domain Accounts, UAC Bypass, Metasploit Pivoting Week 7: Active Directory, gpp Local Admin, Sticky Keys to the Kingdom, Antivirus Evasion, Using the Veil Framework (or something similar) Week 8: ARP Spoofing and Cache Poisoning, SSLStrip (Exploiting User Assumptions), HTTP Strict Transport Security, Windows Command-line Administration Basics, More Ways to Pivot, More Windows Exploits and Responder, Shadow Brokers and All That, Cult of the Dirty Cow Week 9: Web Hacking, HTTP, Using a Web Proxy, XSS, Browser Exploitation, Cross-site Request Forgery Week 10: Web Audit Tools, SSRF and Path Normalization, Wireless Hacking, WPA2EAP, KrackAttack Week 11: Wireless Attacks Reaver, Kismet, Scapy and Wireless Packets, ECPA, Cellular Telephone Network Security Week 12: Exploiting Physical Access, Android Device Security, iOS Device Security Penetration Testing—Ethical Hacking, CIS 4204 Page 2 J.N. Wilson Fall 2019
Week 13: Mobile App Pentesting, App Pentesting Tools Week 14: Hacking IoT Devices, Social Engineering, Pentesting Azure Applications Week 15: How Not to be Bad at Pentesting (John Strand DerbyCon 2014) Week 16: Review
Attendance Policy, Class Expectations, and Make-Up Policy Students are expected to attend every class. University of Florida policy for excused absences applies. Requirements for make-up exams, assignments, and other work in this course are consistent with university policies. Excused absences must be consistent with university policies in the undergraduate catalog (https://catalog.ufl.edu/ugrad/current/regulations/info/attendance.aspx) and require appropriate documentation.
Evaluation of Grades Grading is based on quiz grades, practical exercises (in which the student must successfully solve a number of problems—several per week), participation in CTF (capture the flag) tournaments (at least 10 hours of cumulative effort in at least 3 separate events), and final examination. Quizzes are given in each class after the first and are to be completed online in the first five minutes of class. The five lowest quiz grades are dropped as students are allowed to miss five classes and their respective quizzes. Beyond that, absences must be excused. Final examination leeway points are provided for submission of CTF problem solutions for which points were awarded to the UF Student Infosec Team’s CTF team (2 points of final examination credit can be received for each such solution up to a maximum of 6 points). The final examination will be similar to an industry certification examination such as SANS GIAC or ECCouncil CEH. Assignment Total Points Percentage of Final Grade Quizzes 3 each 20% Lab Exercises 10 each 40% CTF Participation 2 per hour 20% Final Exam 100 20% 100%
Grading Policy Percent Grade Grade Points 93.34 - 100 A 4.00 90.00 – 93.33 A- 3.67 86.67 - 89.99 B+ 3.33 83.34 - 86.66 B 3.00 80.0 - 83.33 B- 2.67 76.67 - 79.99 C+ 2.33 73.34 - 76.66 C 2.00 70.00 - 73.33 C- 1.67 66.67 - 69.99 D+ 1.33 63.34 - 66.66 D 1.00 60.00 - 63.3 3 D- 0.67 0 - 59.99 E 0.00
More information on UF grading policy may be found at: https://catalog.ufl.edu/ugrad/current/regulations/info/grades.aspx
Students Requiring Accommodations
Penetration Testing—Ethical Hacking, CIS 4204 Page 3 J.N. Wilson Fall 2019
Students with disabilities requesting accommodations should first register with the Disability Resource Center (352-392-8565, https://www.dso.ufl.edu/drc) by providing appropriate documentation. Once registered, students will receive an accommodation letter which must be presented to the instructor when requesting accommodation. Students with disabilities should follow this procedure as early as possible in the semester.
Course Evaluation Students are expected to provide professional and respectful feedback on the quality of instruction in this course by completing course evaluations online via GatorEvals. Guidance on how to give feedback in a professional and respectful manner is available at https://gatorevals.aa.ufl.edu/students/. Students will be notified when the evaluation period opens, and can complete evaluations through the email they receive from GatorEvals, in their Canvas course menu under GatorEvals, or via https://ufl.bluera.com/ufl/. Summaries of course evaluation results are available to students at https://gatorevals.aa.ufl.edu/public-results/.
University Honesty Policy UF students are bound by The Honor Pledge which states, “We, the members of the University of Florida community, pledge to hold ourselves and our peers to the highest standards of honor and integrity by abiding by the Honor Code. On all work submitted for credit by students at the University of Florida, the following pledge is either required or implied: “On my honor, I have neither given nor received unauthorized aid in doing this assignment.” The Honor Code (https://sccr.dso.ufl.edu/policies/student-honor-code-student-conduct-code/) specifies a number of behaviors that are in violation of this code and the possible sanctions. Furthermore, you are obligated to report any condition that facilitates academic misconduct to appropriate personnel. If you have any questions or concerns, please consult with the instructor or TAs in this class.
Commitment to a Safe and Inclusive Learning Environment The Herbert Wertheim College of Engineering values broad diversity within our community and is committed to individual and group empowerment, inclusion, and the elimination of discrimination. It is expected that every person in this class will treat one another with dignity and respect regardless of gender, sexuality, disability, age, socioeconomic status, ethnicity, race, and culture.
If you feel like your performance in class is being impacted by discrimination or harassment of any kind, please contact your instructor or any of the following: • Your academic advisor or Graduate Program Coordinator • Robin Bielling, Director of Human Resources, 352-392-0903, [email protected] • Curtis Taylor, Associate Dean of Student Affairs, 352-392-2177, [email protected] • Toshikazu Nishida, Associate Dean of Academic Affairs, 352-392-0943, [email protected]
Software Use All faculty, staff, and students of the University are required and expected to obey the laws and legal agreements governing software use. Failure to do so can lead to monetary damages and/or criminal penalties for the individual violator. Because such violations are also against University policies and rules, disciplinary action will be taken as appropriate. We, the members of the University of Florida community, pledge to uphold ourselves and our peers to the highest standards of honesty and integrity.
Student Privacy There are federal laws protecting your privacy with regards to grades earned in courses and on individual assignments. For more information, please see: https://registrar.ufl.edu/ferpa.html
Campus Resources:
Penetration Testing—Ethical Hacking, CIS 4204 Page 4 J.N. Wilson Fall 2019
Health and Wellness U Matter, We Care: Your well-being is important to the University of Florida. The U Matter, We Care initiative is committed to creating a culture of care on our campus by encouraging members of our community to look out for one another and to reach out for help if a member of our community is in need. If you or a friend is in distress, please contact [email protected] so that the U Matter, We Care Team can reach out to the student in distress. A nighttime and weekend crisis counselor is available by phone at 352-392-1575. The U Matter, We Care Team can help connect students to the many other helping resources available including, but not limited to, Victim Advocates, Housing staff, and the Counseling and Wellness Center. Please remember that asking for help is a sign of strength. In case of emergency, call 9-1-1.
Counseling and Wellness Center: http://www.counseling.ufl.edu/cwc, and 392-1575; and the University Police Department: 392-1111 or 9-1-1 for emergencies.
Sexual Discrimination, Harassment, Assault, or Violence If you or a friend has been subjected to sexual discrimination, sexual harassment, sexual assault, or violence contact the Office of Title IX Compliance, located at Yon Hall Room 427, 1908 Stadium Road, (352) 273-1094, [email protected]
Sexual Assault Recovery Services (SARS) Student Health Care Center, 392-1161.
University Police Department at 392-1111 (or 9-1-1 for emergencies), or http://www.police.ufl.edu/.
Academic Resources E-learning technical support, 352-392-4357 (select option 2) or e-mail to [email protected]. https://lss.at.ufl.edu/help.shtml.
Career Resource Center, Reitz Union, 392-1601. Career assistance and counseling. https://www.crc.ufl.edu/.
Library Support, http://cms.uflib.ufl.edu/ask. Various ways to receive assistance with respect to using the libraries or finding resources.
Teaching Center, Broward Hall, 392-2010 or 392-6420. General study skills and tutoring. https://teachingcenter.ufl.edu/.
Writing Studio, 302 Tigert Hall, 846-1138. Help brainstorming, formatting, and writing papers. https://writing.ufl.edu/writing-studio/.
Student Complaints Campus: https://www.dso.ufl.edu/documents/UF_Complaints_policy.pdf.
On-Line Students Complaints: http://www.distance.ufl.edu/student-complaint-process.
Penetration Testing—Ethical Hacking, CIS 4204 Page 5 J.N. Wilson Fall 2019